IN THE CLAIMS

Amended claims follow: 

1. (Currently Amended) An intrusion detection and analysis system comprising: 

a data monitoring device comprising a capture engine operable to capture data
passing through the network in response to a trigger and configured to monitor network
traffic, decode protocols for grouping packets into different protocol presentations and
assembling the packets into high level protocol groups, and analyze received data for
managing the network by collecting statistics, and detecting broken lines, traffic loads,
and network errors;

an intrusion detection device separate from the data monitoring device, the
intrusion detection device comprising a detection engine operable to perform intrusion
detection on data provided by the data monitoring device;

application program interfaces configured to allow the intrusion detection device 
access to applications of the data monitoring device to perform intrusion detection; and 

memory for storing reference network information used by the intrusion 
detection device to determine if an intrusion has occurred; 

wherein the application program interfaces allow the intrusion detection device
to leverage the separate data monitoring device, by allowing the intrusion detection
device to call an application program interface configured to open a protocol decoding
application associated with the separate data monitoring device, and by allowing the
intrusion detection device to call an application program interface configured to open an
alarm generation application associated with the separate data monitoring device.

2. (Original) The system of claim 1 wherein the reference network information 
comprises a signature database including signature profiles associated with a known 
network security violation and wherein the detection engine is operable to compare the 
data provided by the data monitoring device with the signature profiles to detect 
network intrusions. 

3. (Original) The system of claim 2 further comprising a parser operable to parse, 
generate, and load signatures at the detection engine. 

4. (Original) The system of claim 1 wherein the reference network information 
comprises a baseline state of network traffic and wherein the detect engine is operable 
to compare the data received by the capture engine to the baseline network state and 
look for anomalies. 

5. (Original) The system of claim 4 wherein the data monitoring device provides the 
baseline state of network traffic.

6. (Original) The system of claim 1 further comprising a log file configured to at least 
temporarily store reports generated by the detect engine. 

7. (Original) The system of claim 6 further comprising an alarm manager operable to 
generate alarms based on information generated by the log file. 

8. (Original) The system of claim 1 further comprising a filter configured to filter out 
packets received at the data monitoring device. 

9. (Cancelled) 

10. (Original) The system of claim 1 wherein the capture engine is configured to 
forward packets and temporarily store packets for later analysis by the data monitoring 
device. 
11. (Currently Amended) A method for performing intrusion detection with an
intrusion detection and analysis system comprising a data monitoring device including a
capture engine operable to capture data passing through the network in response to a
trigger and configured to monitor network traffic, decode protocols for grouping
packets into different protocol presentations and assembling the packets into high level
protocol groups, and analyze received data for managing the network by collecting
statistics, and detecting broken lines, traffic loads, and network errors, and an intrusion
detection device separate from the data monitoring device, the intrusion detection
device coupled to the data monitoring device and configured to perform intrusion
detection on data provided by the data monitoring device; the method comprising:

receiving data at the data monitoring device; 

capturing at least a portion of the packets contained within the data; 

by allowing the intrusion detection device to call [an] at least one application
program interface configured to open applications of the data monitoring device; and

performing intrusion detection at the intrusion detection device utilizing at least
one of the applications of the data monitoring device;

wherein the at least one application program interface allows the intrusion
detection device to leverage the separate data monitoring device, by allowing the
intrusion detection device to call an application program interface configured to open a
protocol decoding application associated with the separate data monitoring device, and
by allowing the intrusion detection device to call an application program interface
configured to open an alarm generation application associated with the separate data
monitoring device.

12. (Cancelled) 

13. (Cancelled) 

14. (Original) The method of claim 11 further comprising filtering the data prior to
capturing packets. 

15. (Original) The method of claim 11 wherein performing intrusion detection 
comprises performing signature matching. 

16. (Original) The method of claim 15 wherein the application program interfaces 
provide parsing of signatures used in signature matching. 

17. (Cancelled) 

18. (Original) The method of claim 11 wherein performing intrusion detection
comprises detecting anomalies in the received data. 

19. (Currently Amended) A computer program product for performing intrusion
detection with an intrusion detection and analysis system comprising a data monitoring
device including a capture engine operable to capture data passing through the network
in response to a trigger and configured to monitor network traffic, decode protocols for
grouping packets into different protocol presentations and assembling the packets into
high level protocol groups, and analyze received data for managing the network by
collecting statistics, and detecting broken lines, traffic loads, and network errors, and an
intrusion detection device separate from the data monitoring device, the intrusion
detection device coupled to the data monitoring device and configured to perform
intrusion detection on data provided by the data monitoring device; the product
comprising:

code that receives data at the data monitoring device; 
code that captures at least a portion of the packets contained within the data; 
code that calls [an] at least one application program interface configured to open
applications of the data monitoring device; 
code that performs intrusion detection at the intrusion detection device utilizing
at least one of the applications of the data monitoring device; and 

a computer-readable storage medium for storing the codes; 

wherein the at least one application program interface allows the intrusion
detection device to leverage the separate data monitoring device, by allowing the
intrusion detection device to call an application program interface configured to open a
protocol decoding application associated with the separate data monitoring device, and
by allowing the intrusion detection device to call an application program interface
configured to open an alarm generation application associated with the separate data
monitoring device.

20. (Currently Amended) The computer program product of claim 19 wherein the
computer readable storage medium is selected from the group consisting of CD-ROM,
floppy disk, tape, flash memory, system memory, and hard drive, and a data signal
embodied in a carrier wave.

21. (New) The system of claim 1 wherein at least one of the application program
interfaces take the form of frame_context_pointer_position.

22. (New) The system of claim 1 wherein at least one of the application program
interfaces include:

frame_tcp_bridge,
frame_udp_bridge,
frame_ip_bridge, and
frame_http_bridge.